“Vulnerable versions of Vera and Wink could be attacked through HTTP requests,” Young added. “These requests may come from a malicious web page (as demonstrated at IID on the Vera), a phone app on the LAN, or a malicious user on the LAN directly connecting to the vulnerable device. In the case of Vera, the attacker can directly supply commands to run on the Vera’s embedded operating system. In the case of Wink, the attacker would inject SQL commands to trick SQLite into creating a PHP script on the device. A subsequent request can then trigger execution of the PHP code with root permissions.”

The SmartThings hub had the least serious vulnerability as it was vulnerable to improper certificate validation. The holes in both SmartThings and Wink were patched, but that means the user must apply the patches. In the case of SmartThings, a mandatory update was pushed out in February. A spokesperson said, “Any inactive hub that was not updated, cannot connect to the SmartThings service and is automatically redirected to an update server.”

As the Internet of Things evolves over the course of the next few years, expect to see a lot more vulnerabilities exposed as the manufacturers creating these devices are not including security in the design stages of their products. IoT increases the cyber attack surface and will be a huge platform malicious actors – likely cyber criminals – will attempt to leverage to gain access to private data for nefarious purposes.

SCOTT (すこっと)

Scott (すこっと) is a cyber security, threat intelligence strategist, and technology evangelist working and living in Tokyo. In addition to his day job, Scott is fascinated by the future of computing, the technology industry, privacy, encryption, mobile apps, politics, & Japan. Scott enjoys taking pictures with his iPhone and sharing them freely online, primarily on Instagram.